Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: IIS 6 FTP

From: Sickle <sickle () videotron ca>
Date: Sat, 09 Oct 2004 01:20:08 -0500
1.

Maybe you should try this : go to the Security tab of your root folder,
click the button Advanced, activate the option "Reset permissions on all
child objects and enable probagation of inheritable permissions" and click
Ok, and Ok again.

Before you do this, look if Users or Everyone or another group does not give
other permissions to your users. Also, if the option "Allow inheritable
permissions from parent to propagate..." in the Security tab of your root
folder is activated, it's a good idea to deactivate this option and to
choose to make a copy before doing any modification.

You should not have to deny Write permission.

2.

I don't know, sorry.

-----Message d'origine-----
De : Tyler, Grayling [mailto:ggtyler () foodlion com]
Envoye : October 08, 2004 13:00
A : security-basics () securityfocus com
Objet : IIS 6 FTP


Couple of questions for the list.

1. I set up an non-isolation mode FTP site using a Virtual directory on
the server. I configured permissions using two groups:
Group       NTFS settings
FTP_Read  Read & Execute, List Folder Contents, Read with Write set to
Deny
FTP_Write Modify, Read & Execute, List Folder Contents, Read and Write

The FTP site is configured to allow read and write and anonymous access
is turned off (basic authentication)

When I log in as the user with Write permissions, it works as expected
However, when I log in as the read only user, the user is allowed both
read and write files.  The only thing the account is limited from doing
is writing over or deleting a file loaded by the Write FTP user.

So what am I missing here?

2. Any one know how to turn off the FTP server identification string on
IIS?

Thanks all
**************************************************************************
This electronic message may contain confidential or privileged information
and is intended for the individual or entity named above.  If you are
not the intended recipient, be aware that any disclosure, copying,
distribution or use of the contents of this information is prohibited.
If you have received this electronic transmission in error, please notify
the sender immediately by using the e-mail address or by telephone
(704-633-8250).
**************************************************************************
Previous By Date Next
Previous By Thread Next

Current thread: